Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks

Bitget App

Trade smarter

The Block2025/05/31 16:00

By:By Zack Abrams

Quick Take An update included in Ethereum’s recent “Pectra” upgrade, intended to improve ease-of-use for users, has mostly been used by automated “sweeper” attacks to drain unsuspecting wallets, according to an analysis by Wintermute. Over 80% of EIP-7702 delegations, one function introduced in the upgrade, were devoted to a single malicious script, Wintermute found. One user lost nearly $150,000 to a phishing attack enabled by the script, according to blockchain security firm Scam Sniffer.

Wintermute warns Pectra upgrade leaves Ethereum users at risk of automated attacks image 0

A recent Ethereum upgrade has mostly been used by malicious attackers seeking to drain wallets, according to an analysis by crypto trading firm Wintermute.

EIP-7702, an account-abstraction upgrade included in Ethereum's recent "Pectra" hard fork , is designed to improve ease of user experience by allowing wallets to temporarily behave like smart contracts, batching multiple actions, sponsoring gas fees, using passkey or social-authentication, or implementing spending limits in a single transaction. EIP-7702 was initially proposed and championed by Ethereum co-founder Vitalik Buterin.

However, over 80% of EIP-7702 delegations were authorized to multiple contracts with copy-pasted versions of the same basic code, which automatically "sweeps" wallets with leaked keys and sends the contents to the attacker who deployed the contract, according to Wintermute's Dune dashboard . Wintermute nicknamed the contract "CrimeEnjoyor."

"The CrimeEnjoyor contract is short, simple, and widely reused," Wintermute wrote on X. "This one copy-pasted bytecode now accounts for the majority of all EIP-7702 delegations. It’s funny, bleak, and fascinating at the same time."

Blockchain security firm Scam Sniffer recently identified a wallet that lost nearly $150,000 through a malicious batched transaction with links to the Inferno Drainer scam-as-a-service, a longtime nuisance in the crypto security space.

Security firm SlowMist also detailed the risks of EIP-7702 adoption in a recent analysis . "Wallet service providers should quickly support EIP-7702 transactions and, when users sign delegations, should prominently display the target contract to reduce the risk of phishing attacks," SlowMist wrote.

"As we predicted, the phishing gangs have caught up," wrote SlowMist founder Yu Xian on X . "Everyone should be vigilant, be careful that the assets in your wallet will be taken away."

Though EIP-7702 introduces a new way for automated attacks, security expert Taylor Monahan said the key issue was the underlying compromise of users' private keys.

"It's not actually a 7702 issue, its the same issue crypto has had since day one: end users struggle to secure their private keys," Monahan told the Block. "7702 just unlocks a bunch of cool abilities that make sweeping addresses more cost efficient and less tedious."

Disclaimer: The content of this article solely reflects the author's opinion and does not represent the platform in any capacity. This article is not intended to serve as a reference for making investment decisions.

PoolX: Locked for new tokens.

APR up to 10%. Always on, always get airdrop.

Lock now!